InstallBuilder version 22.10.0 has been released. Our engineers have been working on the following improvements and bug fixes:
UPDATE:
We have created a CVE entry for the “Improved DLL loading on Qt installers” (CVE-2022-31694) issue fixed in InstallBuilder 22.10.0.
DLL planting vulnerability in InstallBuilder for Qt installers (CVE-2022-31694 )
InstallBuilder for Qt Windows installers using dialog actions (popups) are vulnerable to DLL hijacking attacks.
Background
InstallBuilder Qt installers built with versions previous to 22.10 try to load DLLs from the installer binary parent directory when displaying popups. This may allow an attacker to plant a malicious DLL in the installer parent directory to allow executing code with the privileges of the installer (when the popup triggers the loading of the library.)
Exploiting these types of vulnerabilities generally requires that an attacker has access to a vulnerable machine to plant the malicious DLL.
Remediation
Affected InstallBuilder for Qt customers should update to InstallBuilder 22.10.0 or later and release new versions.
We would like to thank Marius Gabriel Mihai for reporting the issue.